From a25138229acacbe60b77d5a21fb6448c42424eb9 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 13 Jul 2023 13:16:17 +0200 Subject: [PATCH 1/3] add architectural decisions log and first decision --- fast/docs/0-bootstram-user-iam.md | 33 +++++++++++++++++++++++++++++++ fast/docs/README.md | 3 +++ 2 files changed, 36 insertions(+) create mode 100644 fast/docs/0-bootstram-user-iam.md create mode 100644 fast/docs/README.md diff --git a/fast/docs/0-bootstram-user-iam.md b/fast/docs/0-bootstram-user-iam.md new file mode 100644 index 0000000000..03131ff1b2 --- /dev/null +++ b/fast/docs/0-bootstram-user-iam.md 
@@ -0,0 +1,33 @@ +# Remove initial gcloud commands needed to bootstrap + +## Status + +Rejected. + +## Context + +The initial `gcloud` commands that grant IAM roles to the user running `apply` for the first time, are sometimes seen an extra hurdle and an unnecessary complication. + +These are the roles in question + +- `roles/logging.admin` +- `roles/owner` +- `roles/resourcemanager.organizationAdmin` +- `roles/resourcemanager.projectCreator` + +One proposal we investigated was internalizing those IAM bindings in the actual Terraform code, either via bare resources or an additional organization module invocation, and depending subsequent resources on it. + +On further investigation, this poses a few challenges + +- the roles in question are managed authoritatively, and it would be best they remained so (e.g. to clear the Project Creator role, or ensure Organization Administrators match what is in the code) +- project creation depends on those roles, but this creates a cycle dependency as the service accounts created are also assigned those roles, and they cannot implicitly depend (via the project) on the same roles + +Working around this issue would require a substantial amount of hoops and a lot of development effort. It would also result in potentially less safe and more fragile code. + +## Decision + +What the decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it. + +## Consequences + +Nothing changes due to this decision. diff --git a/fast/docs/README.md b/fast/docs/README.md new file mode 100644 index 0000000000..d6c722c233 --- /dev/null +++ b/fast/docs/README.md 
@@ -0,0 +1,3 @@ +# FAST architectural documents + +This folder contains assorted bits of documentation used to log current architectural choices, or past decisions. Format is inspired by [Michael Nygard's decision record template](https://github.com/joelparkerhenderson/architecture-decision-record/blob/main/templates/decision-record-template-by-michael-nygard/index.md). From 68a9fbce936f3e85ddef319e4b77cdc096dc2a1b Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 13 Jul 2023 13:19:40 +0200 Subject: [PATCH 2/3] add header --- fast/docs/0-bootstram-user-iam.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fast/docs/0-bootstram-user-iam.md b/fast/docs/0-bootstram-user-iam.md index 03131ff1b2..af3be64e8d 100644 --- a/fast/docs/0-bootstram-user-iam.md +++ b/fast/docs/0-bootstram-user-iam.md @@ -1,5 +1,8 @@ # Remove initial gcloud commands needed to bootstrap +**authors:** [Ludo](https://github.com/ludoo)\ +**date:** July 13, 2023 + ## Status Rejected. From 50ca22fcf8a18d12314920fd19c963e28a0c6b1c Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 13 Jul 2023 13:21:42 +0200 Subject: [PATCH 3/3] typo --- fast/docs/0-bootstram-user-iam.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/docs/0-bootstram-user-iam.md b/fast/docs/0-bootstram-user-iam.md index af3be64e8d..1a938d8a2a 100644 --- a/fast/docs/0-bootstram-user-iam.md +++ b/fast/docs/0-bootstram-user-iam.md @@ -29,7 +29,7 @@ Working around this issue would require a substantial amount of hoops and a lot ## Decision -What the decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it. +What we decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it. ## Consequences
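Review bot: in the first hunk (new file `fast/docs/0-bootstram-user-iam.md`) the file name has a typo; the document title reads "bootstrap", so rename to `0-bootstrap-user-iam.md` before the series merges, since later patches and any README links will otherwise carry the misspelling. The same hunk has a few wording problems worth fixing in the same commit: "are sometimes seen an extra hurdle" is missing "as", "depending subsequent resources on it" reads better as "making subsequent resources depend on it", and "a cycle dependency" should be "a dependency cycle". Finally, given that the Decision keeps four org-level grants (`roles/owner`, `roles/resourcemanager.organizationAdmin`, `roles/resourcemanager.projectCreator`, `roles/logging.admin`) as out-of-band `gcloud` commands, the Consequences section could say that those bindings stay managed authoritatively by the stage code after the initial apply and that the bootstrap documentation must continue to list the commands, rather than just "Nothing changes due to this decision."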
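Review bot: the `fast/docs/README.md` hunk describes the folder but does not index it; add a list entry pointing at the first decision record (under its corrected file name) and a sentence on the `N-` numbering convention, so new records are discoverable and numbered consistently.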
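Review bot: in the `[PATCH 2/3] add header` hunk, the `**authors:**` line uses a trailing backslash as a hard line break; GitHub-flavored Markdown renders it, but other renderers and some markdown linters do not, so a two-space trailing break or a two-row list would be more portable. Consider writing the date in ISO form (`2023-07-13`) as well, so records sort by file listing.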
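Review bot: the `[PATCH 3/3] typo` hunk fixes "What the decided" but leaves the other wording issues in the same file ("seen an extra hurdle", "cycle dependency") and the `bootstram` file name untouched; either fold those into this commit or squash the three patches into one, since patches 2 and 3 only amend the file introduced in patch 1.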